This is a nonexistent vulnerability. The unsanitized variable
referenced is only used in the Javascript on the page and is never
passed back for processing by the PHP code, much less in any SQL
statement. Furthermore, the page that this summary references is only
accessible by users who have administrative access to the site and
not by random external users.

In the future Mr "xoxland", it might be good for you to let the
developers of the software know about your discoveries before you go
public with them. In this way, you can avoid the embarrassment of
issuing false advisories as well.

Victor

*definitely NOT speaking for the MODx dev team - these are personal
opinions*